Skip to content
  • About
  • Contact
  • Contribute
  • Book
  • Careers
  • Podcast
  • Recommended
  • Speaking
  • All
  • Physician
  • Practice
  • Policy
  • Finance
  • Conditions
  • .edu
  • Patient
  • Meds
  • Tech
  • Social
  • Video
    • All
    • Physician
    • Practice
    • Policy
    • Finance
    • Conditions
    • .edu
    • Patient
    • Meds
    • Tech
    • Social
    • Video
    • About
    • Contact
    • Contribute
    • Book
    • Careers
    • Podcast
    • Recommended
    • Speaking

Protecting health apps on the web from the evils of the Internet

John Halamka, MD
Tech
October 3, 2011
Share
Tweet
Share

The Internet can be a swamp of hackers, crackers, and hucksters attacking your systems for fun, profit and fraud.  Defending your data and applications against this onslaught is a cold war, requiring constant escalation of new techniques against an ever increasing offense.

Clinicians are mobile people.  They work in ambulatory offices, hospitals, skilled nursing facilities, on the road, and at home.   They have desktops, laptops, tablets, iPhones and iPads.  Ideally their applications should run everywhere on everything.   That’s the reason we’ve embraced the web for all our built and bought applications.   Protecting these web applications from the evils of the Internet is a challenge.

Five years ago all of our externally facing web sites were housed within the data center and made available via network address translation (NAT)  through an opening in the firewall.   We performed periodic penetration testing of our sites.  Two years ago, we installed a Web Application Firewall (WAF) and proxy system.    We are now in the process of migrating all of our web applications from NAT/firewall accessibility to WAF/Proxy accessibility.

We have a few hundred externally facing web sites.  From a security view there are only two types, those that provide access to protected health information content and those that do not.   Fortunately more are in the latter than the former.

One of the major motivations for creating a multi-layered defense was the realization that many vendor products are vulnerable and even when problems are identified, vendors can be slow to correct defects.   We need  “zero day protection” to secure purchased applications against evolving threats.

Technologies to include in a multi-layered defense include:

1.  Filter out basic network probes at the border router such as traffic on unused ports

2.  Use Intrusion Prevention Systems (IPS)  to block common attacks such as SQL Injection and cross site scripting. We block over 10,000 such attacks per day.   You could implement multiple IPSs from different vendors to create a suite of features including URL filtering  which prevent internal users from accessing known malware sites.

3.  A classic firewall and Demilitarized Zone (DMZ)  to limit the “attack surface“.

Policies and procedures are an important aspect of maintaining a secure environment.   When a request is made to host a new application, we start with a Nessus vulnerability scan.

Applications must pass the scan before we will consider hosting them.   We built a simple online request form for these requests for access to both track the requests and keep the data a SQL data base.    This provides the data source for an automated re-scan of each system.

Penetration testing of internally written applications is a bit more valuable because they are easier to update/correct based on the findings of penetration tests.

One caveat.   The quality of penetration testing is highly variable.    When we hire firms to attack our applications, we often get a report filled with theoretical risks that are not especially helpful i.e. if your web server was accidentally configured to accept HTTP connections instead of forced HTTPS connections, the application would be vulnerable.   That’s true and if a meteor struck our data center, we would have many challenges on our hands.  When choosing a penetration testing vendor, aim for one that can put their findings in a real world context.

ADVERTISEMENT

Thus, our mitigation strategy is to apply deep wire based security, utilize many tools including IPS, traditional firewalls, WAF and proxy servers, and perform periodic re-occurring internal scans of all systems that are available externally to our network.

Of course, all of this takes a team of trained professionals.

I hope this is helpful for your own security planning.

John Halamka is Chief Information Officer of Beth Israel Deaconess Medical Center and blogs at Life as a Healthcare CIO.

Submit a guest post and be heard on social media’s leading physician voice.

Prev

Lawsuits are more of an emotional issue than a financial one

October 3, 2011 Kevin 7
…
Next

Universal board certification can solve the Doctor Nurse controversy

October 3, 2011 Kevin 18
…

Tagged as: Health IT

Post navigation

< Previous Post
Lawsuits are more of an emotional issue than a financial one
Next Post >
Universal board certification can solve the Doctor Nurse controversy

ADVERTISEMENT

More by John Halamka, MD

  • The future of EHR: Here are 5 predictions

    John Halamka, MD
  • 10 crucial guidelines for health care IT

    John Halamka, MD
  • 5 health care IT tips for President Trump

    John Halamka, MD

More in Tech

  • How digital tools are reshaping the doctor-patient relationship

    Vineet Vishwanath
  • The promise and perils of AI in health care: Why we need better testing standards

    Max Rollwage, PhD
  • 3 tips for using AI medical scribes to save time charting

    Erica Dorn, FNP
  • Would The Pitts’ Dr. Robby Robinavitch welcome a new colleague? Yes. Especially if their initials were AI.

    Gabe Jones, MBA
  • Generative AI 2025: a 20-minute cheat sheet for busy clinicians

    Harvey Castro, MD, MBA
  • Why public health must be included in AI development

    Laura E. Scudiere, RN, MPH
  • Most Popular

  • Past Week

    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • How New Mexico became a malpractice lawsuit hotspot

      Patrick Hudson, MD | Physician
    • Why doctors are reclaiming control from burnout culture

      Maureen Gibbons, MD | Physician
    • Why medical schools must ditch lectures and embrace active learning

      Arlen Meyers, MD, MBA | Education
    • Why public health must be included in AI development

      Laura E. Scudiere, RN, MPH | Tech
  • Past 6 Months

    • Why tracking cognitive load could save doctors and patients

      Hiba Fatima Hamid | Education
    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • What the world must learn from the life and death of Hind Rajab

      Saba Qaiser, RN | Conditions
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • Here’s what providers really need in a modern EHR

      Laura Kohlhagen, MD, MBA | Tech
    • Why flashy AI tools won’t fix health care without real infrastructure

      David Carmouche, MD | Tech
  • Recent Posts

    • Why medical schools must ditch lectures and embrace active learning

      Arlen Meyers, MD, MBA | Education
    • Why helping people means more than getting an MD

      Vaishali Jha | Education
    • How digital tools are reshaping the doctor-patient relationship

      Vineet Vishwanath | Tech
    • Why evidence-based management may be an effective strategy for stronger health care leadership and equity

      Olumuyiwa Bamgbade, MD | Physician
    • Why health care leaders fail at execution—and how to fix it

      Dave Cummings, RN | Policy
    • Residency match tips: Building mentorship, research, and community

      Simran Kaur, MD and Eva Shelton, MD | Education

Subscribe to KevinMD and never miss a story!

Get free updates delivered free to your inbox.


Find jobs at
Careers by KevinMD.com

Search thousands of physician, PA, NP, and CRNA jobs now.

Learn more

Leave a Comment

Founded in 2004 by Kevin Pho, MD, KevinMD.com is the web’s leading platform where physicians, advanced practitioners, nurses, medical students, and patients share their insight and tell their stories.

Social

  • Like on Facebook
  • Follow on Twitter
  • Connect on Linkedin
  • Subscribe on Youtube
  • Instagram

ADVERTISEMENT

  • Most Popular

  • Past Week

    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • How New Mexico became a malpractice lawsuit hotspot

      Patrick Hudson, MD | Physician
    • Why doctors are reclaiming control from burnout culture

      Maureen Gibbons, MD | Physician
    • Why medical schools must ditch lectures and embrace active learning

      Arlen Meyers, MD, MBA | Education
    • Why public health must be included in AI development

      Laura E. Scudiere, RN, MPH | Tech
  • Past 6 Months

    • Why tracking cognitive load could save doctors and patients

      Hiba Fatima Hamid | Education
    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • What the world must learn from the life and death of Hind Rajab

      Saba Qaiser, RN | Conditions
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • Here’s what providers really need in a modern EHR

      Laura Kohlhagen, MD, MBA | Tech
    • Why flashy AI tools won’t fix health care without real infrastructure

      David Carmouche, MD | Tech
  • Recent Posts

    • Why medical schools must ditch lectures and embrace active learning

      Arlen Meyers, MD, MBA | Education
    • Why helping people means more than getting an MD

      Vaishali Jha | Education
    • How digital tools are reshaping the doctor-patient relationship

      Vineet Vishwanath | Tech
    • Why evidence-based management may be an effective strategy for stronger health care leadership and equity

      Olumuyiwa Bamgbade, MD | Physician
    • Why health care leaders fail at execution—and how to fix it

      Dave Cummings, RN | Policy
    • Residency match tips: Building mentorship, research, and community

      Simran Kaur, MD and Eva Shelton, MD | Education

MedPage Today Professional

An Everyday Health Property Medpage Today
  • Terms of Use | Disclaimer
  • Privacy Policy
  • DMCA Policy
All Content © KevinMD, LLC
Site by Outthink Group

Leave a Comment

Comments are moderated before they are published. Please read the comment policy.

Loading Comments...